Exchange Security

Hi,

I'm planning an Exchange server installation within the next few weeks. We don't have an DMZ or FE/BE for Exchange and I'm concerned about allowing SSL and SMTP traffic straight into our LAN. We have a PIX as our perimeter firewall here lies my question: Is a PIX (SMTP, SSL open) alone secure enough or should I put ISA somewhere in the mix? I've read some articles suggestoing SSL through PIX is a vulnerability as PIX cannot read encrypted traffic. Anyone have any comments on this?

Ciderspine.
CiderspineAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
rafael_accCommented:
PIXs are usually good enough. But do not forget that to secure it it is not enough to have but to properly configure it. The same idea applies to the ISA box. For instance, you can have 3 Pixes, 1 ISA, ... but as long as they are not configured correctly ... see the idea??

Good knowledge on tcp/ip would allow you to set this up properly, even with a single PIX only.

Cheers
0
 
HyppyCommented:
Your PIX should be secure enough, as long as you specify only your exchange server in the ACL for SMTP/SSL access.
0
 
hstilesCommented:
SSL through to OWA on your Exchange Server is OK.  Plenty of companies operate without a FE/BE configuration.

However, I would strongly advise setting up a mail relay in a DMZ as this provides a physical barrier between your mail server and the outside world.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
Leon FesterSenior Solutions ArchitectCommented:
'I've read some articles suggestoing SSL through PIX is a vulnerability as PIX cannot read encrypted traffic. Anyone have any comments on this?'

I think what you possibly read could have been something along the lines of ISA 2004 being able to do stateful packet inspection on encrypted data.

Check out this link for some more info on ISA and Exchange.
http://www.microsoft.com/isaserver/evaluation/overview/default.mspx
0
 
CiderspineAuthor Commented:
Thanks for you comments - I suspected the PIX was secure enough.

I have a relay planned for SMTP. I take it if I wanted to relay SSL traffic to OWA I would have to run a FE xchange?

Ben
0
 
rafael_accCommented:
And the points are for me and ... ? :)

Cheers
0
 
CiderspineAuthor Commented:
Whoever answers this question gets the points.


I take it if I wanted to relay SSL traffic to OWA I would have to run a FE xchange?

0
 
Leon FesterSenior Solutions ArchitectCommented:
Not neccessarily OWA works independantly of whether your server is a FE or BE Server.

Ideally you'd wanna setup as a backend server...
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
CiderspineAuthor Commented:
Thanks chaps!
0
 
rafael_accCommented:
Your question: "here lies my question: Is a PIX (SMTP, SSL open) alone secure enough or should I put ISA somewhere in the mix? I've read some articles suggestoing SSL through PIX is a vulnerability as PIX cannot read encrypted traffic. Anyone have any comments on this?"

My answer:
"PIXs are usually good enough. But do not forget that to secure it it is not enough to have but to properly configure it. The same idea applies to the ISA box. For instance, you can have 3 Pixes, 1 ISA, ... but as long as they are not configured correctly ... see the idea??

Good knowledge on tcp/ip would allow you to set this up properly, even with a single PIX only. "

This same answer was in "tune" with other users's answers as well ... I think there should've been a split. Also, I just cannot see where is dvt_localboy's answer better than mine. Could you please show me that??

Anyway ... I guess the moderator will decide ... they shold be saying something soon ....

Cheers
0
 
CiderspineAuthor Commented:
His answer was not 'better than yours' it was simply a more appropriate answer in my opinion.

Ciderspine. (because it's always summer in my world)
0
 
rafael_accCommented:
Just to clarify though ... I never meant that dvt_localboy didnt' deserve any points. He/she just didn't deserve all of them. As I stated already, there should have been a split. More clear than that I can't be!

Cheers
0
 
CiderspineAuthor Commented:
You don't like beans - Jelly beans?

I agree - I should have split the points. My mistake. Is there a way I can give you some points - I'm happy to do so? EE is such a fantastic resource and I think all of you experts who selflessly give your hard-earned knowledge and time to help others in the IT community deserve medals and I thank you all.

Really - you don't like jelly beans? I thought eveyone liked Jelly Beans?

Cheers matey! No hard feelings. Let's keep EE a place of knowlege and love.

Ciderspine
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.